Skip to main content

Linux Kernel EUVDEUVD-2026-26561

| CVE-2026-31748 HIGH
Out-of-bounds Write (CWE-787)
2026-05-01 Linux
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

7
Analysis Generated
May 07, 2026 - 19:38 vuln.today
CVSS changed
May 07, 2026 - 19:37 NVD
7.8 (HIGH)
Patch available
May 01, 2026 - 16:02 EUVD
Patch released
May 01, 2026 - 15:24 nvd
Patch available
EUVD ID Assigned
May 01, 2026 - 15:00 euvd
EUVD-2026-26561
CVE Published
May 01, 2026 - 14:14 nvd
HIGH 7.8
CVE Published
May 01, 2026 - 14:14 nvd
N/A

DescriptionCVE.org

In the Linux kernel, the following vulnerability has been resolved:

comedi: me_daq: Fix potential overrun of firmware buffer

me2600_xilinx_download() loads the firmware that was requested by request_firmware(). It is possible for it to overrun the source buffer because it blindly trusts the file format. It reads a data stream length from the first 4 bytes into variable file_length and reads the data stream contents of length file_length from offset 16 onwards. Although it checks that the supplied firmware is at least 16 bytes long, it does not check that it is long enough to contain the data stream.

Add a test to ensure that the supplied firmware is long enough to contain the header and the data stream. On failure, log an error and return -EINVAL.

AnalysisAI

Buffer overflow in Linux kernel COMEDI me_daq driver allows local authenticated users to achieve arbitrary code execution with kernel privileges. The me2600_xilinx_download() function fails to validate firmware file length before reading data streams, enabling out-of-bounds memory access during firmware loading operations. Patches available across multiple stable kernel versions (5.10.253, 5.15.203, 6.1.168, 6.6.134, 6.12.81, 6.18.22, 6.19.12, 7.0). EPSS score of 0.02% (7th percentile) indicates low probability of widespread exploitation despite high CVSS 7.8 rating, and no active exploitation or public exploit code identified at time of analysis.

Technical ContextAI

The vulnerability resides in the COMEDI (Control and Measurement Device Interface) subsystem, specifically in the me_daq driver for Meilhaus data acquisition hardware. The me2600_xilinx_download() function implements firmware loading for Xilinx FPGAs on ME-2600 devices. It uses request_firmware() to obtain firmware files, then reads a 4-byte length field (file_length) from offset 0 and attempts to read that many bytes starting at offset 16. The original code validates only that firmware size >= 16 bytes but never checks if (firmware_size >= 16 + file_length), creating a classic CWE-787 (Out-of-bounds Write) condition. An attacker who can supply malicious firmware files (via compromised firmware repositories, local file placement with sufficient privileges, or supply chain attacks) can specify an arbitrarily large file_length value, causing the kernel to read beyond the allocated firmware buffer into adjacent kernel memory. This can lead to information disclosure, memory corruption, or kernel crash. The fix adds explicit validation: if (fw->size < (file_length + 16)) return -EINVAL, preventing the overrun. Affected CPE: cpe:2.3:a:linux:linux:*:*:*:*:*:*:*:* from kernel 2.6.29 (when commit 85acac61096f introduced the vulnerable code) through multiple stable branches prior to the patches.

RemediationAI

Upgrade to patched kernel versions: 5.10.253+ for 5.10.y branch, 5.15.203+ for 5.15.y, 6.1.168+ for 6.1.y, 6.6.134+ for 6.6.y, 6.12.81+ for 6.12.y, 6.18.22+ for 6.18.y, 6.19.12+ for 6.19.y, or 7.0+ for mainline. Distribution-specific updates should be applied via normal package management once vendors incorporate these stable kernel releases. Patch commits available at https://git.kernel.org/stable/c/[commit_hash] for each affected branch. For systems unable to immediately upgrade, compensating controls include: (1) Blacklist the me_daq kernel module if ME-2600 hardware is not in use (add 'blacklist me_daq' to /etc/modprobe.d/blacklist.conf and rebuild initramfs) - eliminates attack surface entirely but renders hardware non-functional. (2) Restrict firmware loading paths by implementing strict file permissions on /lib/firmware and /sys/class/firmware directories (chmod 700, chown root:root) and monitor for unauthorized firmware file modifications using file integrity monitoring - reduces risk of malicious firmware injection but may complicate legitimate firmware updates. (3) Apply kernel module signing policies to prevent unsigned module loading if not already enforced - provides defense-in-depth but requires certificate infrastructure and doesn't prevent exploitation if attacker has sufficient privileges. Note that firmware loading typically requires CAP_SYS_ADMIN capability, so enforcing principle of least privilege and removing unnecessary sudo/capability grants reduces exposure. Industrial control systems should prioritize patching during scheduled maintenance windows due to potential operational impact of kernel updates.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed

Share

EUVD-2026-26561 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy